Winter Is Coming: DHS Warns Businesses of Chilling New RAT Malware

Daniel Miller on November 22, 2017

The US Department of Homeland Security (DHS) recently publicized details about Fallchill malware, a remote administration tool (RAT) being used by Hidden Cobra – a group of malicious actors associated with the North Korean government – to penetrate and take control of targeted sites. Hidden Cobra, also known as Lazarus Group, is suspected of being responsible for major attacks on Sony Pictures, the Central Bank of Bangladesh and other international financial organizations.

Covert control of target networks

In a joint alert, the DHS and FBI warned that Fallchill has been used to target aerospace, telecom and finance companies. Users unintentionally download Fallchill by visiting compromised websites — an attack style known as a drive-by download. Once a site is infected, Hidden Cobra may deploy further malware-as-a-service via an external tool or dropper. Multiple proxies are used to hide communications between Hidden Cobra actors and the infected site.

Fallchill enables Hidden Cobra to conduct a wide range of remote operations on the systems it targets, including:

  • Retrieving device information
  • Creating, starting and terminating local processes
  • Searching, reading, writing, moving and executing files
  • Modifying file and directory timestamps

Ominously, the Hidden Cobra menace then "swallows its own tail", evading detection by deleting malware and artifacts from infected systems.
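The timestamp tampering and artifact deletion listed above still leave a trace a defender can look for. On Linux, utime() can push a file's modification time into the past, but the kernel stamps the inode-change time (ctime) with the current time, so a backdated file ends up with ctime far newer than mtime. The following is an added example, not code from the DHS alert or from Ericom; the sample files, the one-day threshold and the sub-second heuristic are constructed assumptions for the demo.

```python
import os
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

# utime() can push mtime into the past, but the kernel records ctime as "now"
# when it does; a genuinely old file has ctime close to mtime. Threshold is a demo assumption.
DEFAULT_GAP_SECONDS = 24 * 60 * 60

@dataclass
class Finding:
    path: str
    mtime: float
    ctime: float
    reasons: list = field(default_factory=list)

def inspect_file(path, gap_seconds=DEFAULT_GAP_SECONDS):
    """Return a Finding for one file; an empty reasons list means nothing odd."""
    st = os.stat(path, follow_symlinks=False)
    finding = Finding(path, st.st_mtime, st.st_ctime)
    gap = st.st_ctime - st.st_mtime
    if gap > gap_seconds:
        finding.reasons.append(f"ctime is {gap:.0f}s newer than mtime")
    if st.st_mtime > time.time() + 60:
        finding.reasons.append("mtime lies in the future")
    # Tools that rewrite timestamps often drop the sub-second part.
    if st.st_mtime_ns % 1_000_000_000 == 0 and st.st_ctime_ns % 1_000_000_000:
        finding.reasons.append("mtime has no sub-second part but ctime does")
    return finding

def scan_tree(root, gap_seconds=DEFAULT_GAP_SECONDS):
    """Walk root and return only the files that tripped at least one check."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and not p.is_symlink():
            f = inspect_file(str(p), gap_seconds)
            if f.reasons:
                hits.append(f)
    return hits

def demo():
    """Constructed sample: an ordinary file and one with mtime pushed back two years."""
    root = tempfile.mkdtemp(prefix="timestomp_demo_")
    for name in ("normal.txt", "backdated.log"):
        Path(root, name).write_text("sample\n")
    two_years_ago = int(time.time()) - 2 * 365 * 24 * 60 * 60
    os.utime(os.path.join(root, "backdated.log"), (two_years_ago, two_years_ago))
    return scan_tree(root)  # -> one Finding, for backdated.log
```

On Windows st_ctime is the creation time instead, so the same gap check catches an mtime set earlier than the file's creation.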

A new addition to an ominous arsenal

Hidden Cobra is also associated with the Volgmer Trojan, a backdoor Trojan that provides covert access to compromised systems. The DHS identified at least 94 static IP addresses connected with Volgmer infrastructure, as well as dynamic IP addresses in numerous countries.

According to the DHS, Volgmer has been used by North Korean hackers since 2013 or earlier, and is distributed primarily via spear-phishing attacks. It is used to gather system information and list directories, update service registry keys, download and upload files, execute commands, and terminate processes.

Add depth to security training with browser isolation

The “success” of North Korean government-related attacks on Sony Pictures, Bangladesh’s Central Bank and other targets emphasizes the simple fact that even technologically sophisticated multinational organizations are vulnerable to browser-borne attacks. Employee training is essential, but insufficient to protect networks from determined malicious actors like Hidden Cobra. A layered approach to endpoint and network security that includes remote isolation of Internet browsing is essential for protecting your organization from browser-borne malware and the malicious agents that deploy it.

Contact us now to learn more about protecting your organization with Ericom Shield remote browser isolation.


Daniel Miller

Senior Director of Product Marketing | Ericom Software
